[WIP]feat: Support shared vpc in GCP vendor access module

examples/gcp/vendor-access/main.tf

@@ -0,0 +1,17 @@
+# Grant access
+module "sn_managed_cloud" {
+  source  = "github.com/streamnative/terraform-managed-cloud//modules/gcp/vendor-access?ref=v3.8.0"
+  project = "<YOUR_PROJECT>"
+}
+
+# Grant access when using shared vpc
+module "sn_managed_cloud_shared_vpc" {
+  source          = "github.com/streamnative/terraform-managed-cloud//modules/gcp/vendor-access?ref=v3.8.0"
+  project         = "<YOUR_PROJECT>"
+  project_num     = "<YOUR_PROJECT_NUM>"
+  network_project = "<YOUR_NETWORK_HOST_PROJECT>"
+  shared_vpc_subnets = [{
+    name   = "<SHARED_SUBNET_NAME>"
+    region = "<SHARED_SUBNET_REGION>"
+  }]
+}

modules/gcp/vendor-access/README.md

@@ -492,6 +492,9 @@ After [authenticating to your GCP account](https://registry.terraform.io/provide
 
    </p></details>
 
+### Examples
+More examples of the modules can be found in the `examples/gcp/vendor-access` directory.
+
 ## Terraform Docs
 ### Requirements
 
@@ -514,6 +517,8 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [google_compute_subnetwork_iam_member.network_user](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork_iam_member) | resource |
+| [google_project_iam_member.service_agent_user](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.sn_access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_service.gcp_apis](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
 
@@ -522,8 +527,11 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_extra_google_services"></a> [extra\_google\_services](#input\_extra\_google\_services) | Extra google API services need to be enabled. | `list(string)` | `[]` | no |
-| <a name="input_project"></a> [project](#input\_project) | The project id of the target project | `string` | n/a | yes |
+| <a name="input_network_project"></a> [network\_project](#input\_network\_project) | The project id of the network host project. | `string` | `""` | no |
+| <a name="input_project"></a> [project](#input\_project) | The project id of the target project. | `string` | n/a | yes |
+| <a name="input_project_num"></a> [project\_num](#input\_project\_num) | The project number of the target project, required when configuring network project. | `string` | `""` | no |
 | <a name="input_roles"></a> [roles](#input\_roles) | The role list will be associated with StreamNative GSA. | `list(string)` | <pre>[<br>  "roles/editor",<br>  "roles/compute.admin",<br>  "roles/compute.loadBalancerAdmin",<br>  "roles/compute.networkAdmin",<br>  "roles/container.admin",<br>  "roles/dns.admin",<br>  "roles/storage.admin",<br>  "roles/iam.serviceAccountAdmin",<br>  "roles/iam.workloadIdentityPoolAdmin",<br>  "roles/resourcemanager.projectIamAdmin"<br>]</pre> | no |
+| <a name="input_shared_vpc_subnets"></a> [shared\_vpc\_subnets](#input\_shared\_vpc\_subnets) | The subnet list shared by network host project. | <pre>list(object({<br>    region = string<br>    name   = string<br>  }))</pre> | `[]` | no |
 | <a name="input_streamnative_support_access_gsa"></a> [streamnative\_support\_access\_gsa](#input\_streamnative\_support\_access\_gsa) | The GSA will be used by StreamnNative support team. | `list(string)` | <pre>[<br>  "[email protected]"<br>]</pre> | no |
 | <a name="input_streamnative_vendor_access_gsa"></a> [streamnative\_vendor\_access\_gsa](#input\_streamnative\_vendor\_access\_gsa) | The GSA will be used by StreamnNative cloud. | `list(string)` | <pre>[<br>  "[email protected]",<br>  "[email protected]"<br>]</pre> | no |
 

modules/gcp/vendor-access/common.tf

@@ -1,6 +1,27 @@
 variable "project" {
   type        = string
-  description = "The project id of the target project"
+  description = "The project id of the target project."
+}
+
+variable "project_num" {
+  type        = string
+  default     = ""
+  description = "The project number of the target project, required when configuring network project."
+}
+
+variable "network_project" {
+  type        = string
+  default     = ""
+  description = "The project id of the network host project."
+}
+
+variable "shared_vpc_subnets" {
+  type = list(object({
+    region = string
+    name   = string
+  }))
+  default     = []
+  description = "The subnet list shared by network host project."
 }
 
 variable "roles" {

modules/gcp/vendor-access/main.tf

@@ -1,10 +1,10 @@
 locals {
-  streamnative_gsa = concat(var.streamnative_vendor_access_gsa, var.streamnative_support_access_gsa)
+  streamnative_gsa = formatlist("serviceAccount:%s", concat(var.streamnative_vendor_access_gsa, var.streamnative_support_access_gsa))
   iam_bindings = flatten([
     for role in var.roles : [
       for gsa in local.streamnative_gsa : {
         role : role,
-        member : format("serviceAccount:%s", gsa),
+        member : gsa,
       }
     ]
   ])
@@ -42,12 +42,47 @@ resource "google_project_iam_member" "sn_access" {
   depends_on = [google_project_service.gcp_apis]
 }
 
+locals {
+  comput_network_user_gsa = var.network_project != "" ? concat(local.streamnative_gsa, [format("serviceAccount:%[email protected]", var.project_num)]) : []
+  comput_network_user_iam_binding = flatten([
+    for subnet in var.shared_vpc_subnets : [
+      for gsa in local.comput_network_user_gsa : {
+        region : subnet.region,
+        subnet : subnet.name,
+        member : gsa,
+      }
+    ]
+  ])
+  container_host_service_agent_user = var.network_project != "" ? [format("serviceAccount:service-%[email protected]", var.project_num)] : []
+}
+
+resource "google_compute_subnetwork_iam_member" "network_user" {
+  for_each = {
+    for index, binding in local.comput_network_user_iam_binding :
+    index => binding
+  }
+  project    = var.network_project
+  region     = each.value.region
+  subnetwork = each.value.subnet
+  role       = "roles/compute.networkUser"
+  member     = each.value.member
+  depends_on = [google_project_service.gcp_apis]
+}
+
+resource "google_project_iam_member" "service_agent_user" {
+  count      = length(local.container_host_service_agent_user)
+  project    = var.network_project
+  role       = "roles/container.hostServiceAgentUser"
+  member     = local.container_host_service_agent_user[count.index]
+  depends_on = [google_project_service.gcp_apis]
+}
+
 output "google_services" {
-  value = local.google_services
+  value       = local.google_services
   description = "Enabled google services."
 }
 
 output "iam_bindings" {
-  value = local.iam_bindings
+  value       = local.iam_bindings
   description = "Configured iam policies."
 }